CWE-770
Allocation of Resources Without Limits or Throttling
Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528
CVEs mapped to this weakness (964)
Page 47 of 49

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-10758 | | | 0.00 | — | 0.02 | | Sep 16, 2020 | A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. |
| CVE-2020-15168 | | | 0.00 | — | 0.02 | | Sep 10, 2020 | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have… |
| CVE-2020-8203 | | — | 0.00 | — | 0.05 | | Jul 15, 2020 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. |
| CVE-2020-15100 | | — | 0.00 | — | 0.00 | | Jul 14, 2020 | In freewvs before 0.1.1, a user could create a large file that freewvs will try to read, which will terminate a scan process. This has been patched in 0.1.1. |
| CVE-2020-13250 | | — | 0.00 | — | 0.03 | | Jun 11, 2020 | HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4. |
| CVE-2020-10705 | | — | 0.00 | — | 0.01 | | Jun 10, 2020 | A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service. |
| CVE-2020-12697 | | — | 0.00 | — | 0.01 | | May 13, 2020 | The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries. |
| CVE-2020-8552 | | | 0.00 | — | 0.02 | | Mar 27, 2020 | The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. |
| CVE-2020-8551 | | | 0.00 | — | 0.01 | | Mar 27, 2020 | The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API… |
| CVE-2019-11939 | | | 0.00 | — | 0.02 | | Mar 18, 2020 | Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This… |
| CVE-2020-7219 | | — | 0.00 | — | 0.02 | | Jan 31, 2020 | HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. |
| CVE-2020-7218 | | — | 0.00 | — | 0.01 | | Jan 31, 2020 | HashiCorp Nomad and Nomad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3. |
| CVE-2020-7226 | | — | 0.00 | — | 0.03 | | Jan 24, 2020 | CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of… |
| CVE-2019-16770 | | — | 0.00 | — | 0.02 | | Dec 5, 2019 | In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait… |
| CVE-2019-12406 | | — | 0.00 | — | 0.06 | | Nov 6, 2019 | Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments.… |
| CVE-2019-17359 | | — | 0.00 | — | 0.09 | | Oct 8, 2019 | The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64. |
| CVE-2019-16865 | | — | 0.00 | — | 0.03 | | Oct 4, 2019 | An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image. |
| CVE-2019-15753 | | — | 0.00 | — | 0.03 | | Aug 28, 2019 | In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of… |
| CVE-2019-15544 | | — | 0.00 | — | 0.04 | | Aug 26, 2019 | An issue was discovered in the protobuf crate before 2.6.0 for Rust. Attackers can exhaust all memory via Vec::reserve calls. |
| CVE-2019-9514 | | — | 0.00 | — | 0.83 | | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the… |